$user_login double escaped with incorrect/empty password in wp-login.php

[johnjamesjacoby]

First:

		if ( isset( $_POST['log'] ) ) {
			$user_login = ( 'incorrect_password' === $errors->get_error_code() || 'empty_password' === $errors->get_error_code() ) ? esc_attr( wp_unslash( $_POST['log'] ) ) : '';
		}

Then:

<input type="text" name="log" id="user_login"<?php echo $aria_describedby_error; ?> class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" autocapitalize="off" />

Fix is to late escape only, and remove the top one.

[johnjamesjacoby]

Relatedly, 'register' action is double wp_unslash()ing $user_email and $user_login.

[rajinsharwar]

Lets see what others thunk about it.

[rajinsharwar]

Pretty minor change, adding 2nd opinion if we really need this change.

Trac ticket: https://core.trac.wordpress.org/ticket/55335

[SergeyBiryukov]

In 58623:

Login and Registration: Remove redundant escaping in wp-login.php.

• $user_login in the login action is already escaped on output.
• $user_login and $user_email in the register action are already unslashed a few lines above.

Follow-up to [3120], [4339], [8454], [11104], [23416], [23554], [23594], [46640].

Props johnjamesjacoby, rajinsharwar, narenin.
Fixes #55335.

Thanks for the PR! Merged in r58623.